Symantec ProxySG NDM Security Technical Implementation Guide


Overview

Date: 2019-12-20
Finding Count (32): CAT I (High): 9, CAT II (Med): 21, CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-94713 High Symantec ProxySG must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-94711 High The Symantec ProxySG must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
V-94657 High Symantec ProxySG must configure Web Management Console access restrictions to authorized IP address/ranges.
V-94655 High Symantec ProxySG must be configured to enforce user authorization to implement least privilege.
V-94695 High Symantec ProxySG must use only approved management services protocols.
V-94413 High Symantec ProxySG must enable Attack Detection.
V-94703 High Symantec ProxySG must transmit only encrypted representations of passwords.
V-94707 High Symantec ProxySG must be configured to use only FIPS 140-2 approved algorithms for authentication to a cryptographic module with any application or protocol.
V-94709 High The Symantec ProxySG Web Management Console and SSH sessions must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
V-94681 Medium Symantec ProxySG must employ automated mechanisms to centrally verify authentication settings.
V-94683 Medium Accounts for device management must be configured on the authentication server and not on Symantec ProxySG itself, except for the account of last resort.
V-94685 Medium Symantec ProxySG must use Role-Based Access Control (RBAC) to assign privileges to users for access to files and functions.
V-94687 Medium Symantec ProxySG must employ automated mechanisms to centrally apply authentication settings.
V-94689 Medium Symantec ProxySG must support organizational requirements to conduct backups of system level information contained in the ProxySG when changes occur or weekly, whichever is sooner.
V-94671 Medium Symantec ProxySG must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-94659 Medium Symantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI).
V-94675 Medium Symantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized modification.
V-94677 Medium Symantec ProxySG must protect the Web Management Console, SSH, and command line interface (CLI) from unauthorized access.
V-94653 Medium Symantec ProxySG must be configured with only one local account that is used as the account of last resort.
V-94699 Medium Symantec ProxySG must configure SNMPv3 so that cryptographically-based bidirectional authentication is used.
V-94697 Medium Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts.
V-94693 Medium Symantec ProxySG must configure the maintenance and health monitoring to send an alarm when a critical condition occurs for a component.
V-94691 Medium Symantec ProxySG must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-94673 Medium Symantec ProxySG must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
V-94701 Medium Symantec ProxySG must be configured to enforce a minimum 15-character password length for local accounts.
V-94661 Medium Symantec ProxySG must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-94667 Medium Symantec ProxySG must be configured to support centralized management and configuration of the audit log.
V-94705 Medium Symantec ProxySG must not have default manufacturer passwords when deployed.
V-94665 Medium Symantec ProxySG must enable event access logging.
V-94679 Medium Symantec ProxySG must back up event logs onto a different system or system component than the system or component being audited.
V-94663 Low Symantec ProxySG must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-94669 Low Symantec ProxySG must generate an alert to the console when a log processing failure is detected such as loss of communications with the Central Log Server or log records are no longer being sent.